Configuring isolation segments in IBM® Cloud Private Cloud Foundry deployments

Businesses often need to isolate the applications that they deploy on IBM Cloud Private Cloud Foundry, and the requirement goes beyond what a separate IBM Cloud Private Cloud Foundry deployment for each segment would provide. Regulatory requirements can stipulate that the compute resources for an application be isolated from those of other applications, and that the network that carries the data consumed and produced by these applications be isolated from other data and applications as well.

Isolation segments can be used to separate applications as if they were in different IBM Cloud Private Cloud Foundry deployments without the need for redundant management and network complexity.

Preparing BOSH to support isolation segments

To enable isolation segments for a deployment, you must set the placement_tags property on the Diego cell instances in your deployment manifest. Each Diego cell that you want to include in an isolation segment must carry a placement_tags entry whose value is the name of that isolation segment; cells that have no placement_tags entry keep serving the default shared segment. Isolation segment names are not case-sensitive and must be unique. For example, in your ./data/CloudFoundry/diego-deploy.yml manifest, you might tag a Diego cell as segment_1:

- instances: 1
  name: cell
  networks:
  - name: default
  properties:
    diego:
      rep:
        [...]
        placement_tags:
        - segment_1

Deploying a new manifest

Run the following commands to log in to the inception container and deploy the updated manifest:

$ docker exec -it <inception_container_name> bash
$ bosh deploy /data/CloudFoundry/diego-deploy.yml

Managing isolation segments with Cloud Foundry Command Line Interface

Creating isolation segments

Use the cf create-isolation-segment Cloud Foundry CLI command to create an isolation segment in IBM Cloud Private Cloud Foundry. For example, creating segment_1 returns the following result:

$ cf create-isolation-segment segment_1
Creating isolation segment segment_1 as johndoe...
OK

Note: The isolation segment name that is used in the Cloud Foundry CLI command must match the value that is specified in the placement_tags section of the Diego manifest file. If the names do not match, Cloud Foundry fails to place applications in the isolation segments when the applications are started or restarted in the spaces that are assigned to the isolation segments.

Viewing information about isolation segments

Administrators and users can use the Cloud Foundry CLI to retrieve isolation segment configurations. As an administrator, you can see all isolation segments that are registered in the current Cloud Foundry deployment. Users can view only the isolation segments that are assigned to their organizations.

List isolation segments

Run the cf isolation-segments command to view the isolation segments that are visible to your role. The command returns the following result:

$ cf isolation-segments
Getting isolation segments as johndoe...
OK

name           orgs
segment_1     org1

Viewing isolation segments that are enabled for an organization

As an administrator, you can assign multiple isolation segments to an organization with the cf enable-org-isolation <org_name> <isolation_segment_name> command; the organization then appears in the orgs column of cf isolation-segments.

Run the cf org <org_name> command to view isolation segments that are assigned to <org_name>. The command returns the following result:

$ cf org org1
Getting info for org org1 as johndoe@example.com...

name:                 org1
domains:              example.com, apps.example.com
quota:                paid
spaces:               development, production, staging
isolation segments:   segment_1

Viewing an isolation segment that is assigned to a space

Only one isolation segment can be assigned to a space (cf set-space-isolation-segment <space_name> <isolation_segment_name>), and the organization that owns the space must already have that segment enabled. Applications that are already running in the space move to the segment only after they are restarted.

Run the cf space <space_name> command to view isolation segments that are assigned to <space_name>. The command returns the following result:

$ cf space staging

name:                staging
org:                 org1
apps:
services:
isolation segment:   segment_1
space quota:
security groups:

Deleting isolation segments

Only administrators can delete isolation segments.

Note: You cannot delete an isolation segment that still contains deployed applications; stop or move those applications first.

Run the cf delete-isolation-segment <isolation_segment_name> command to delete the isolation segment. The command returns the following result:

$ cf delete-isolation-segment segment_1
Deleting isolation segment segment_1 as admin...
OK